@fyresmith/hive-server 4.0.0 → 5.0.0

package/cli/env-file.js

@@ -1,5 +1,6 @@
 import dotenv from 'dotenv';
 import prompts from 'prompts';
+import { randomBytes } from 'crypto';
 import { access, mkdir, readFile, writeFile } from 'fs/promises';
 import { existsSync } from 'fs';
 import { dirname } from 'path';
@@ -57,37 +58,19 @@ export async function writeEnvFile(envFile, values) {
   await writeFile(envFile, serializeEnv(normalizeEnv(values)), 'utf-8');
 }
 
-export function inferDomainFromRedirect(redirectUri) {
-  if (!redirectUri) return null;
-  try {
-    const u = new URL(redirectUri);
-    return u.host;
-  } catch {
-    return null;
-  }
-}
-
-export function validateEnvValues(values) {
+export function validateEnvValues(values, { requireVaultPath = true } = {}) {
   const issues = [];
-  for (const key of REQUIRED_ENV_KEYS) {
+  const requiredKeys = requireVaultPath
+    ? REQUIRED_ENV_KEYS
+    : REQUIRED_ENV_KEYS.filter((key) => key !== 'VAULT_PATH');
+  for (const key of requiredKeys) {
     if (!String(values[key] ?? '').trim()) {
       issues.push(`Missing ${key}`);
     }
   }
 
   const port = parseInt(values.PORT ?? '', 10);
-  const yjsPort = parseInt(values.YJS_PORT ?? '', 10);
   if (!Number.isInteger(port) || port <= 0) issues.push('PORT must be a positive integer');
-  if (!Number.isInteger(yjsPort) || yjsPort <= 0) issues.push('YJS_PORT must be a positive integer');
-
-  try {
-    const uri = new URL(values.DISCORD_REDIRECT_URI ?? '');
-    if (!/^https?:$/.test(uri.protocol)) {
-      issues.push('DISCORD_REDIRECT_URI must use http or https');
-    }
-  } catch {
-    issues.push('DISCORD_REDIRECT_URI must be a valid URL');
-  }
 
   return issues;
 }
@@ -103,7 +86,14 @@ export async function ensureVaultPathReadable(pathValue) {
 }
 
 export async function promptForEnv({ envFile, existing, yes = false, preset = {} }) {
-  const current = normalizeEnv({ ...existing, ...preset });
+  const base = { ...existing, ...preset };
+
+  // Auto-generate secrets if not already set — never prompt for these
+  if (!String(base.JWT_SECRET ?? '').trim()) {
+    base.JWT_SECRET = randomBytes(32).toString('hex');
+  }
+
+  const current = normalizeEnv(base);
 
   if (yes) {
     await writeEnvFile(envFile, current);
@@ -111,21 +101,13 @@ export async function promptForEnv({ envFile, existing, yes = false, preset = {}
   }
 
   const questions = [
-    { name: 'DISCORD_CLIENT_ID', message: 'Discord Client ID' },
-    { name: 'DISCORD_CLIENT_SECRET', message: 'Discord Client Secret', secret: true },
-    { name: 'DISCORD_GUILD_ID', message: 'Discord Guild ID' },
-    { name: 'OWNER_DISCORD_ID', message: 'Managed vault owner Discord ID' },
-    { name: 'JWT_SECRET', message: 'JWT secret', secret: true },
-    { name: 'VAULT_PATH', message: 'Vault absolute path' },
     { name: 'PORT', message: 'HTTP port' },
-    { name: 'YJS_PORT', message: 'Yjs WS port' },
-    { name: 'DISCORD_REDIRECT_URI', message: 'Discord redirect URI' },
   ];
 
   const answers = {};
   for (const q of questions) {
     const response = await prompts({
-      type: q.secret ? 'password' : 'text',
+      type: 'text',
       name: 'value',
       message: q.message,
       initial: current[q.name] ?? '',

package/cli/flows/doctor.js

@@ -64,16 +64,11 @@ export async function runDoctorChecks({ envFile, includeCloudflared = true }) {
       }
     }
 
-    if (env.VAULT_PATH && env.OWNER_DISCORD_ID) {
+    if (env.VAULT_PATH) {
       try {
         const managedState = await loadManagedState(env.VAULT_PATH);
         if (!managedState) {
           info('Managed state not initialized yet');
-        } else if (managedState.ownerDiscordId !== env.OWNER_DISCORD_ID) {
-          fail(
-            `Managed owner mismatch: state=${managedState.ownerDiscordId} env=${env.OWNER_DISCORD_ID}`,
-          );
-          failures += 1;
         } else {
           success(`Managed state OK (vaultId ${managedState.vaultId})`);
         }

package/cli/flows/setup.js

@@ -5,11 +5,11 @@ import {
   DEFAULT_CLOUDFLARED_CONFIG,
   DEFAULT_TUNNEL_NAME,
   EXIT,
+  HIVE_HOME,
   HIVE_CONFIG_FILE,
-  LEGACY_ENV_FILE,
 } from '../constants.js';
 import { CliError } from '../errors.js';
-import { inferDomainFromRedirect, loadEnvFile, normalizeEnv, promptForEnv, validateEnvValues, writeEnvFile } from '../env-file.js';
+import { loadEnvFile, normalizeEnv, promptForEnv, validateEnvValues, writeEnvFile } from '../env-file.js';
 import { validateDomain } from '../checks.js';
 import { updateHiveConfig } from '../config.js';
 import { installHiveService } from '../service.js';
@@ -20,9 +20,11 @@ import {
   promptConfirm,
   requiredOrFallback,
   resolveContext,
-  setRedirectUriForDomain,
 } from '../core/context.js';
 import { runDoctorChecks } from './doctor.js';
+import { createVaultAtParent, initializeOwnerManagedVault } from '../../lib/setupOrchestrator.js';
+import { loadManagedState } from '../../lib/managedState.js';
+import { join } from 'path';
 
 export async function runSetupWizard(options) {
   const yes = Boolean(options.yes);
@@ -31,25 +33,10 @@ export async function runSetupWizard(options) {
 
   const { config, envFile } = await resolveContext(options);
   let nextConfig = { ...config, envFile };
-  let importedLegacy = false;
-
-  if (!existsSync(HIVE_CONFIG_FILE) && existsSync(LEGACY_ENV_FILE)) {
-    const shouldImportLegacy = await promptConfirm(
-      `Import existing legacy env from ${LEGACY_ENV_FILE}?`,
-      yes,
-      true
-    );
-    if (shouldImportLegacy) {
-      const legacyValues = await loadEnvFile(LEGACY_ENV_FILE);
-      await writeEnvFile(envFile, legacyValues);
-      importedLegacy = true;
-      success(`Imported legacy env into ${envFile}`);
-    }
-  }
 
   const envExists = existsSync(envFile);
   let envValues;
-  if (!envExists || importedLegacy) {
+  if (!envExists) {
     info(`Initializing env file at ${envFile}`);
     const existing = await loadEnvFile(envFile);
     envValues = await promptForEnv({ envFile, existing, yes });
@@ -63,39 +50,121 @@ export async function runSetupWizard(options) {
     }
   }
 
+  // Prompt for vault display name and owner account credentials
+  let vaultName = '';
+  let vaultParentPath = '';
+  let ownerEmail = '';
+  let ownerDisplayName = '';
+  let ownerPassword = '';
+  if (!yes) {
+    const nameResp = await prompts({
+      type: 'text',
+      name: 'name',
+      message: 'Vault display name (e.g. "Team Vault")',
+      validate: (v) => String(v).trim().length > 0 || 'Vault name is required',
+    });
+    vaultName = String(nameResp.name ?? '').trim();
+
+    if (!String(envValues.VAULT_PATH ?? '').trim()) {
+      const parentResp = await prompts({
+        type: 'text',
+        name: 'path',
+        message: 'Choose folder location for the generated vault (parent directory)',
+        validate: (v) => String(v).trim().length > 0 || 'Parent folder path is required',
+      });
+      vaultParentPath = String(parentResp.path ?? '').trim();
+    }
+
+    const acctResp = await prompts([
+      { type: 'text', name: 'email', message: 'Owner email (for dashboard login)' },
+      { type: 'text', name: 'displayName', message: 'Owner display name' },
+      { type: 'password', name: 'password', message: 'Owner password' },
+    ]);
+    ownerEmail = String(acctResp.email ?? '').trim();
+    ownerDisplayName = String(acctResp.displayName ?? '').trim() || 'Owner';
+    ownerPassword = String(acctResp.password ?? '');
+  }
+
+  const existingVaultPath = String(envValues.VAULT_PATH ?? '').trim();
+  if (!existingVaultPath) {
+    if (yes) {
+      vaultName = vaultName || 'Hive Vault';
+      vaultParentPath = vaultParentPath || join(HIVE_HOME, 'vaults');
+    }
+    if (vaultName && vaultParentPath) {
+      const generatedVaultPath = await createVaultAtParent({
+        parentPath: vaultParentPath,
+        vaultName,
+      });
+      envValues = { ...envValues, VAULT_PATH: generatedVaultPath };
+      await writeEnvFile(envFile, envValues);
+      success(`Generated vault at ${generatedVaultPath}`);
+    }
+  }
+
   const envIssues = validateEnvValues(envValues);
   if (envIssues.length > 0) {
     for (const issue of envIssues) fail(issue);
     throw new CliError('Env configuration is invalid', EXIT.FAIL);
   }
 
-  let domain = requiredOrFallback(
-    options.domain,
-    inferDomainFromRedirect(envValues.DISCORD_REDIRECT_URI) || nextConfig.domain
+  // Initialize owner account + managed vault when interactive setup provides credentials.
+  if (vaultName && ownerEmail && ownerPassword) {
+    const existingState = await loadManagedState(String(envValues.VAULT_PATH));
+    if (existingState) {
+      info('Managed vault already initialized; skipping owner and vault initialization.');
+    } else {
+      await initializeOwnerManagedVault({
+        vaultPath: envValues.VAULT_PATH,
+        vaultName,
+        ownerEmail,
+        ownerDisplayName,
+        ownerPassword,
+      });
+      success('Owner account created');
+      success(`Vault initialized: ${vaultName}`);
+    }
+  }
+
+  // Prompt for public server URL (used for invite claim redirects)
+  let hiveServerUrl = requiredOrFallback(
+    options.domain ? `https://${options.domain}` : '',
+    envValues.HIVE_SERVER_URL || (nextConfig.domain ? `https://${nextConfig.domain}` : ''),
   );
 
   if (!yes) {
     const response = await prompts({
       type: 'text',
-      name: 'domain',
-      message: 'Public domain for Hive server',
-      initial: domain,
+      name: 'url',
+      message: 'Public URL for Hive server (optional, used for invite links)',
+      initial: hiveServerUrl || '',
     });
-    if (response.domain !== undefined) {
-      domain = String(response.domain).trim();
+    if (response.url !== undefined) {
+      hiveServerUrl = String(response.url).trim();
     }
   }
 
-  if (!validateDomain(domain)) {
-    throw new CliError(`Invalid domain: ${domain}`);
-  }
+  if (hiveServerUrl) {
+    const updated = { ...envValues, HIVE_SERVER_URL: hiveServerUrl };
+    await writeEnvFile(envFile, updated);
+    envValues = updated;
+
+    // Derive domain for Cloudflare Tunnel config
+    let domain = nextConfig.domain;
+    try {
+      domain = new URL(hiveServerUrl).hostname;
+    } catch {
+      // ignore parse error
+    }
 
-  envValues = await setRedirectUriForDomain({ envFile, env: envValues, domain, yes });
+    if (domain && validateDomain(domain)) {
+      nextConfig = { ...nextConfig, domain };
+    }
+  }
 
   const shouldSetupTunnel = await promptConfirm('Configure Cloudflare Tunnel now?', yes, true);
   if (shouldSetupTunnel) {
     const port = parseInteger(envValues.PORT, 'PORT');
-    const yjsPort = parseInteger(envValues.YJS_PORT, 'YJS_PORT');
     const tunnelName = requiredOrFallback(options.tunnelName, nextConfig.tunnelName || DEFAULT_TUNNEL_NAME);
     const cloudflaredConfigFile = requiredOrFallback(
       options.cloudflaredConfigFile,
@@ -103,13 +172,17 @@ export async function runSetupWizard(options) {
     );
     const tunnelService = await promptConfirm('Install cloudflared as a service?', yes, true);
 
+    const domain = nextConfig.domain;
+    if (!domain || !validateDomain(domain)) {
+      throw new CliError(`Cannot configure tunnel: invalid or missing domain (${domain})`);
+    }
+
     const tunnelResult = await setupTunnel({
       tunnelName,
       domain,
       configFile: cloudflaredConfigFile,
       certPath: DEFAULT_CLOUDFLARED_CERT,
       port,
-      yjsPort,
       yes,
       installService: tunnelService,
     });

package/cli/tunnel.js

@@ -138,10 +138,9 @@ export async function writeCloudflaredConfig({
   credentialsFile,
   domain,
   port,
-  yjsPort,
 }) {
   await mkdir(dirname(configFile), { recursive: true });
-  const yaml = `tunnel: ${tunnelId}\ncredentials-file: ${credentialsFile}\n\ningress:\n  - hostname: ${domain}\n    path: /yjs/*\n    service: http://localhost:${yjsPort}\n\n  - hostname: ${domain}\n    service: http://localhost:${port}\n\n  - service: http_status:404\n`;
+  const yaml = `tunnel: ${tunnelId}\ncredentials-file: ${credentialsFile}\n\ningress:\n  - hostname: ${domain}\n    service: http://localhost:${port}\n\n  - service: http_status:404\n`;
   await writeFile(configFile, yaml, 'utf-8');
   return yaml;
 }
@@ -358,7 +357,6 @@ export async function setupTunnel({
   configFile,
   certPath,
   port,
-  yjsPort,
   yes = false,
   installService = false,
 }) {
@@ -379,7 +377,6 @@ export async function setupTunnel({
     credentialsFile,
     domain,
     port,
-    yjsPort,
   });
 
   info(`Ensuring DNS route for ${domain}`);

package/index.js

@@ -1,26 +1,20 @@
 import dotenv from 'dotenv';
 import { createServer } from 'http';
+import { existsSync } from 'fs';
 import { fileURLToPath } from 'url';
 import express from 'express';
 import { Server } from 'socket.io';
 import authRoutes from './routes/auth.js';
-import managedRoutes from './routes/managed.js';
+import dashboardRoutes from './routes/dashboard.js';
 import * as vault from './lib/vaultManager.js';
 import { attachHandlers } from './lib/socketHandler.js';
 import { startYjsServer, getActiveRooms, forceCloseRoom, getRoomStatus } from './lib/yjsServer.js';
-import { assertOwnerConsistency } from './lib/managedState.js';
-
-const REQUIRED = [
-  'VAULT_PATH',
-  'JWT_SECRET',
-  'DISCORD_CLIENT_ID',
-  'DISCORD_CLIENT_SECRET',
-  'DISCORD_REDIRECT_URI',
-  'DISCORD_GUILD_ID',
-  'OWNER_DISCORD_ID',
-];
-
-function validateEnv() {
+import { loadManagedState } from './lib/managedState.js';
+import { DEFAULT_ENV_FILE } from './cli/constants.js';
+
+const REQUIRED = ['JWT_SECRET'];
+
+function validateEnv({ allowSetupMode = false } = {}) {
   for (const key of REQUIRED) {
     if (!process.env[key]) {
       throw new Error(`[startup] Missing required env var: ${key}`);
@@ -28,24 +22,31 @@ function validateEnv() {
   }
 
   const port = parseInt(process.env.PORT ?? '3000', 10);
-  const yjsPort = parseInt(process.env.YJS_PORT ?? '3001', 10);
   if (!Number.isInteger(port) || port <= 0) {
     throw new Error('[startup] PORT must be a positive integer');
   }
-  if (!Number.isInteger(yjsPort) || yjsPort <= 0) {
-    throw new Error('[startup] YJS_PORT must be a positive integer');
+
+  // Ensure packaged onboarding assets are available on startup.
+  const assetsRoot = fileURLToPath(new URL('./assets', import.meta.url));
+  if (!existsSync(assetsRoot)) {
+    throw new Error('[startup] Missing packaged assets directory');
   }
 
-  return { port };
+  const hasVaultPath = Boolean(String(process.env.VAULT_PATH ?? '').trim());
+  if (!hasVaultPath && !allowSetupMode) {
+    throw new Error('[startup] Missing required env var: VAULT_PATH');
+  }
+
+  return { port, hasVaultPath };
 }
 
 /**
  * Start Hive server runtime.
  *
- * @param {{ envFile?: string, quiet?: boolean }} [options]
+ * @param {{ envFile?: string, quiet?: boolean, allowSetupMode?: boolean }} [options]
  */
 export async function startHiveServer(options = {}) {
-  const { envFile, quiet = false } = options;
+  const { envFile, quiet = false, allowSetupMode = false } = options;
 
   dotenv.config(
     envFile
@@ -53,11 +54,17 @@ export async function startHiveServer(options = {}) {
       : undefined
   );
 
-  const { port } = validateEnv();
-  await assertOwnerConsistency(process.env.VAULT_PATH, process.env.OWNER_DISCORD_ID);
+  process.env.HIVE_ENV_FILE = envFile || process.env.HIVE_ENV_FILE || DEFAULT_ENV_FILE;
+
+  const { port, hasVaultPath } = validateEnv({ allowSetupMode });
+  if (hasVaultPath) {
+    await loadManagedState(process.env.VAULT_PATH);
+  }
 
   const app = express();
   const httpServer = createServer(app);
+  app.locals.hiveEnvFile = process.env.HIVE_ENV_FILE;
+  app.locals.activateRealtime = null;
 
   const io = new Server(httpServer, {
     cors: {
@@ -68,9 +75,28 @@ export async function startHiveServer(options = {}) {
 
   app.use(express.json());
 
+  // Allow desktop plugin fetch calls (Authorization header triggers preflight).
+  app.use((req, res, next) => {
+    res.setHeader('Access-Control-Allow-Origin', '*');
+    res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,PATCH,DELETE,OPTIONS');
+    res.setHeader('Access-Control-Allow-Headers', 'Authorization,Content-Type');
+    if (req.method === 'OPTIONS') {
+      res.sendStatus(204);
+      return;
+    }
+    next();
+  });
+
+  const setupRequired = (req, res, next) => {
+    if (!String(process.env.VAULT_PATH ?? '').trim()) {
+      return res.status(503).json({ ok: false, error: 'Setup required: configure vault path first.' });
+    }
+    next();
+  };
+
   // Auth routes
-  app.use('/auth', authRoutes);
-  app.use('/managed', managedRoutes);
+  app.use('/auth', setupRequired, authRoutes);
+  app.use('/dashboard', dashboardRoutes);
 
   // Health check
   app.get('/health', (req, res) => res.json({ ok: true, ts: Date.now() }));
@@ -84,23 +110,46 @@ export async function startHiveServer(options = {}) {
     });
   }
 
-  attachHandlers(io, getActiveRooms, broadcastFileUpdated, forceCloseRoom);
-  startYjsServer(broadcastFileUpdated);
+  let realtimeActive = false;
+  let yjsWss = null;
+  const activateRealtime = async () => {
+    if (realtimeActive) return;
+    const vaultPath = String(process.env.VAULT_PATH ?? '').trim();
+    if (!vaultPath) return;
+    await loadManagedState(vaultPath);
+    attachHandlers(io, getActiveRooms, broadcastFileUpdated, forceCloseRoom);
+    yjsWss = startYjsServer(httpServer, broadcastFileUpdated);
+    httpServer.on('upgrade', (req, socket, head) => {
+      const { pathname } = new URL(req.url, 'http://localhost');
+      if (pathname.startsWith('/yjs')) {
+        yjsWss.handleUpgrade(req, socket, head, (ws) => {
+          yjsWss.emit('connection', ws, req);
+        });
+      }
+      // Socket.IO handles /socket.io upgrades automatically via its own listener
+    });
 
-  // Chokidar watch for external (non-plugin) changes
-  vault.initWatcher((relPath, event) => {
-    const docName = encodeURIComponent(relPath);
-    if (getActiveRooms().has(docName)) {
+    vault.initWatcher((relPath, event) => {
+      const docName = encodeURIComponent(relPath);
+      if (getActiveRooms().has(docName)) {
+        if (!quiet) {
+          console.log(`[chokidar] Ignoring external change to active room: ${relPath}`);
+        }
+        return;
+      }
       if (!quiet) {
-        console.log(`[chokidar] Ignoring external change to active room: ${relPath}`);
+        console.log(`[chokidar] External ${event}: ${relPath}`);
       }
-      return;
-    }
-    if (!quiet) {
-      console.log(`[chokidar] External ${event}: ${relPath}`);
-    }
-    io.emit('external-update', { relPath, event });
-  });
+      io.emit('external-update', { relPath, event });
+    });
+
+    realtimeActive = true;
+  };
+  app.locals.activateRealtime = activateRealtime;
+
+  if (hasVaultPath) {
+    await activateRealtime();
+  }
 
   await new Promise((resolve, reject) => {
     httpServer.once('error', reject);
@@ -109,7 +158,11 @@ export async function startHiveServer(options = {}) {
 
   if (!quiet) {
     console.log(`[server] Hive server listening on port ${port}`);
-    console.log(`[server] Vault: ${process.env.VAULT_PATH}`);
+    if (String(process.env.VAULT_PATH ?? '').trim()) {
+      console.log(`[server] Vault: ${process.env.VAULT_PATH}`);
+    } else {
+      console.log('[server] Setup mode: VAULT_PATH not configured yet');
+    }
   }
 
   return {